A security token is used to store an entity, for example a user's digital identity. The digital identity has many uses, such as building access, signing of emails, access to computer systems and obtaining monetary trust. The inherent security mechanism that protects a user's digital identity from being used fraudulently is a combination of security token characteristics and a Personal Identification Number (PIN) known only to the user. The PIN is usually a four digit number which is used to authenticate the user to the security token. Successful authentication of the user to the security token allows the user access to the resources and data contained in or available using the security token.
The use of a four digit number has an inherent weakness in today's E-commerce environment. A four digit number has only ten thousand possible combinations. As such, access to a lost or stolen security token could easily be accomplished by entry of random PIN combinations until the correct PIN is determined. To address this inherent weakness, a security mechanism is generally incorporated into the security token which counts the number of sequential incorrect PIN entries and blocks the security token from further access after a predetermined number of sequential incorrect PIN entries has occurred. This is the situation in which the security mechanism is designed to protect against.
The security mechanism, while simple to implement and reasonably effective may inadvertently block out an authorized user due to common keyboarding problems such as a stuck key, incorrectly replaced key cover or difficulty in determining when a keyboard entry has occurred. Another increasingly common problem, a user will have memorized several PINs for various service providers which lends itself to entry of incorrect PINs. Once blocked, the only way that a user can revive access to his or her security token is to have the security mechanism reset by an appropriate support organization.
This becomes problematic in large organizations as the time and effort to reset the security mechanism usually involves physical presentation of the security token by the user to the support organization. The physical presentation requirement allows the support organization to visually identify the authorized user and maintains close control over post issuance security token management. As is apparent, this process negatively impacts the productivity of both the user and the support organization and increases overall administrative costs to the organization.
Alternatives to physical presentation of the security token include the use of a telephone support call center. An example of which is disclosed in U.S. Pat. No. 6,360,092 to Carrarra. The '092 patent requires a user to telephone a maintenance center to telemetrically reset the security mechanism in the token. This method alleviates the physical presentation requirement but does not significantly reduce the productivity loss to the user and the support organization.
Thus, it would be highly advantageous to provide a mechanism which allows an authenticated user to unblock their own security token, while ensuring that the user initiated unblocking procedure is securely performed to prevent fraudulent unblocking or otherwise compromising the resources or data contained in or available using the security token.